
So: you get a letter or email telling you some of your personal data has been handled carelessly by yet another provider, and squirted into the darknet. Yours and 112 million others’. How do you feel when you see that? Are you enveloped in a sense of urgency… do you spring into action implementing all the corrective measures suggested?

Me neither.

I mean, we know we should. But look at it this way. Our lives and records, the core that matters, are already locked down pretty well. Our banks ping us with fraud alerts if we so much as cross state lines and buy gasoline or coffee. Our credit reports should have been on deep freeze for ten years already.

The pace of new disclosures only accelerates. But when the adrenaline is gone, it’s gone.

…but to do it correctly! Don’t just randomly start running around the Sonora Desert snapping pictures of ball lightning or lenticular clouds. No, no, you should go read the CIA’s guide, How to Investigate a Flying Saucer.

“My tax dollars at work!”, I hear you thinking. But I have just listened to a fairly convincing talk whose thesis is, That is really a very usable framework for computer security incident response. I see the point, but I am going to have to investigate it further and see how far the analogy stretches.

Yesterday I wrote about why there will always be strong encryption. Encryption is only a technology – it can enhance both security and liberty, and it can damage both. The more potential it has to enable criminals and terrorists the more it also serves to protect privacy, necessary military secrets and financial transactions and assets.

If you believe that criminals and terrorists outweigh the lawful military, corporations and private citizens who benefit from strong encryption, I feel sorry for the blighted world you live in. Where I live, such evildoers are but a flea-bite in comparison.

The people who want to scare you into letting them outlaw good encryption only want it outlawed for you. Not for them. What they want to protect is their power. The good news is that bypassing their schemes is almost laughably easy.

Pretty optimistic for me, you might think. But I think it’s inevitable.

In the constant information-security arms race between attackers and defenders, attackers are said to have the upper hand. After all, attackers only need to be right (or get lucky) once, while defenders have to be perfect, every time. The probabilities favor the attackers there, obviously.

But in the case of strong encryption as a thing that is available to ordinary people, the defender/attacker equation flips. Every successful or semi-successful attack against the state of the art motivates the art to grow to a better state. Example: an attack against SHA-1 that reduced the estimated cost of finding a collision with good probability from $700K to maybe as low as $75K was enough to motivate the deprecation of SHA-1 and the rapid adoption of SHA-2 and SHA-3.

While individual uses of encryption can still be compromised, that occurs mostly due to poor key management or simply defects in implementations. Defects, once found, tend to get fixed. Key management demands attention to detail and constant vigilance, but then, so does driving safely to work each day. And just as autonomous vehicles are on the way to replacing faulty humans at guiding cars’ maneuvers in and out of traffic, automated tools at every layer are making usable encryption good, and good encryption usable.

I think we can actually trust the development community to keep the available encryption open for use well ahead of its attackers.

Now if only I could get users to stop using “P@55word” for a password.

Once I decided I was quitting Mint, I saw no reason to get sentimental about it or procrastinate. I did the heavy lifting this past Sunday, and now I am in the yak-shaving stage. AKA the fun part. It’s revelatory, how so many of the things I thought were just a part of any desktop Linux, are actually Mint- or Ubuntu-specific.

I would be remiss if I did not pay a huge shout out to Aptik by TeeJee, without which I would have had to do dozens more hours of real work. Aptik makes migrations between Debian-family Linux distros way easier than we have any right to expect.

Verizon just released its annual, much anticipated Data Breach Report (at least peruse the executive summary if not the full report). This year they had a close-to-home item for their report: their own data breach, which resulted in the leak of some 1.5 million of their own customers’ records.

There’s one thing that does not surprise me, and it’s because I make my living in Information Security and don’t watch CSI:Cyber. It’s that most attacks — most successful attacks — against information infrastructures are not enabled by superior technological feats, genius hackers or 0-day vulnerabilities. The plurality (at least) of successful attacks result from this forehead-slapper of an obvious sequence:

1. Employee responds to a phishing email by clicking on one of its links
2. Malware is installed on said employee’s computer
3. Attacker leverages the foothold thus provided and the result winds up on pastebin

[Chart from the Verizon report not reproduced here. Hint: “clicking on phishing links” is the top bar.]

There are some variations on the theme but the result is depressingly the same every time. Unless an organization has a resilience and a defense-in-depth approach baked into everything, they are much more likely than not to wind up fighting a rearguard action and repairing damage rather than preventing it.
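As an added illustration of how a defender can catch the first two steps of that sequence (this is constructed for this page, not code from the post or from the Verizon report), the script below correlates a mail-gateway link click with a process launching from a user-writable folder on the same host shortly afterwards. The log format, field names, hostnames and paths are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events: one mail-gateway URL-click record and one
# endpoint process-start record per host. Alice's click is followed within
# seconds by an executable running out of her Downloads folder; Bob's is not.
SAMPLE_EVENTS = r"""
2016-05-10T09:02:11 mailgw user=alice host=WS-0142 action=url_click url=http://invoice-portal.example/login
2016-05-10T09:02:40 edr host=WS-0142 user=alice action=process_start image=C:\Users\alice\Downloads\invoice.pdf.exe
2016-05-10T09:30:05 mailgw user=bob host=WS-0207 action=url_click url=http://intranet.example/benefits
2016-05-10T11:15:00 edr host=WS-0207 user=bob action=process_start image=C:\Program Files\Acme\acme.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# key=value pairs; a value runs until the next " key=" so paths may contain spaces
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# launch locations a phished user can write to without admin rights (assumed list)
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.IGNORECASE)

def parse_events(text):
    """Turn the constructed 'timestamp source k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, rest = m.groups()
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events

def find_phish_to_malware(events, window=timedelta(minutes=10)):
    """Flag a process start from a user-writable path on a host within
    `window` after a mail link click on that same host (steps 1 and 2)."""
    clicks = [e for e in events if e["source"] == "mailgw" and e["action"] == "url_click"]
    alerts = []
    for e in events:
        if e["source"] != "edr" or e["action"] != "process_start":
            continue
        if not USER_WRITABLE.search(e["image"]):
            continue
        for c in clicks:
            lag = (e["ts"] - c["ts"]).total_seconds()
            if c["host"] == e["host"] and 0 <= lag <= window.total_seconds():
                alerts.append({"host": e["host"], "user": e["user"], "url": c["url"],
                               "image": e["image"], "lag_s": lag})
    return alerts

if __name__ == "__main__":
    for a in find_phish_to_malware(parse_events(SAMPLE_EVENTS)):
        print(a)
```

The time window and path list are the knobs a real deployment would tune; the point is that the click alone is noise, while click plus a launch from a user-writable folder is the sequence worth waking someone up for.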

It’s a truism among information security folks: first, train everyone. The absolute priority of an infosec manager’s budget should be awareness training for all the employees. No fancy next-generation firewalls or behavioral-analysis anti-malware can take the place of the admin who just Does. Not. Click. On. Dodgy. Links.